PwC’s Sivarama Krishnan on how Indian CIOs aren’t investing enough in monitoring and compliance for security.

CIO: Is there too much hype around security? Are CIOs suffering from security-fatigue?

Sivarama Krishnan: That’s partly true. Security has become paranoia. Maybe it is because security priorities are not set in relation to the size of the impact. Let me give you an example: the security on a print-and-file server and on an SAP server is the same, despite the fact that the latter is far more important.

What is the cost of this one-hammer-for-everything approach?

The impact is visible in the results of the CIO-PwC security survey. It’s clear that the level of satisfaction, or the perception of safety, is decreasing despite increasing security spending. We spend so much money, time and effort on security, but it’s probably not channeled into the right areas.

So where do you feel that CIOs should focus their spending?

Unfortunately, security spending is still focused on technology. But security is not about technology alone. In fact, it is less about technology and more about people and processes.

Having said that, the money that went into technology for security was needed. In the past, India needed those infrastructural barriers. Over the last five years, this infrastructure has been created, so now it is time for organizations to move towards creating security hygiene, creating discipline around security within the organization. This is a huge governance issue.

Are you saying that Indian CIOs have already spent enough in technology for security?

I think, relatively, they have spent enough. I’m not saying they have done enough spending, but that some of the spending should be focused on discipline and processes.

What about monitoring? Is enough happening in that space?

What does a tool do? A tool helps increase effectiveness. What has happened is that we have invested in technologies like proxies and firewalls, but we don’t use the information these technologies produce to increase our effectiveness. This has to be improved.

You have been talking only about internal users and not so much about external threats. Why?

That’s because external threats are controllable by technology. And from an Indian perspective, external threats aren’t that high. Our online activities are far lower than much of the world.

We’ve also seen that quite a lot of threats don’t emanate from the technical know-how of hackers; it’s more about a lack of awareness among users. Every year our survey returns the same finding: 65 percent of incidents are caused by internal users.

But surely enough has been said to caution users.

Users can’t be blamed entirely. Organizations help them make mistakes. Look at the number of passwords users are required to remember on a yearly basis: it’s about 15, and that’s only work-related passwords. On a given day, users have to remember between 20 and 25 passwords.

In this security paranoia we have created, we have also created too much complexity. We have made it hard for our end users. Simplifying these password protocols will probably encourage users to employ stronger passwords.